Re: [whatwg/fetch] Should we send an Origin header for no-cors fetches? (#225)

Facebook uses that header when it's available, otherwise, I think they fall back to checking the Referrer, which is a lot less reliable.

To prevent login CSRF, we can't rely on cookies because users don't have cookies at that point (for various reasons, not every site is able to set pre-login cookies).

I'm open to renaming the header if Chrome is on board too (and we think we can do it), but what Chrome does seems like a worthwhile mechanism, especially if we want sites to move away from relying on Referrer on their login pages.

https://github.com/whatwg/fetch/issues/225#issuecomment-263681215

Received on Tuesday, 29 November 2016 19:59:44 UTC
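The check the comment describes (prefer the Origin header, fall back to Referer, and do not depend on a pre-login cookie) as a server-side login-CSRF guard. This is an added example, not code from the thread, from Facebook or from Chrome; the allow-list `ALLOWED_ORIGINS`, the function names and the header dictionary shape are assumptions made for illustration, and the example generalises slightly by normalising default ports and treating an `Origin: null` value as absent.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the origins that legitimately serve the
# login form. A real deployment would load this from configuration.
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def origin_from_url(url: str) -> Optional[str]:
    """Reduce a URL (e.g. a Referer value) to its origin: scheme://host[:port]."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = parts.hostname
    # Drop a default port so "https://example.com:443/" and
    # "https://example.com/" compare equal; keep an explicit non-default one.
    default = 443 if parts.scheme == "https" else 80
    if port and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def login_request_source(headers: dict) -> Tuple[str, Optional[str]]:
    """Return (source, origin) for a login POST.

    source is "origin" when the Origin header was usable, "referer" when the
    check fell back to the Referer header, and "none" when neither was usable.
    """
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    # "null" is an opaque origin (e.g. a sandboxed frame); it identifies nothing
    # useful, so treat it as absent rather than as a match candidate.
    if origin and origin != "null":
        return "origin", origin.rstrip("/")
    referer = h.get("referer")
    if referer:
        ref_origin = origin_from_url(referer)
        if ref_origin:
            return "referer", ref_origin
    return "none", None


def allow_login_post(headers: dict, allowed=ALLOWED_ORIGINS) -> bool:
    """Accept a login POST only when its source is an allowed origin.

    Fails closed: a request carrying neither header is rejected, because the
    login form cannot rely on a pre-login cookie token to prove its origin.
    """
    source, origin = login_request_source(headers)
    if source == "none":
        return False
    return origin in allowed


if __name__ == "__main__":
    # Constructed sample headers, as a real request would present them.
    samples = [
        {"Origin": "https://example.com"},
        {"Referer": "https://login.example.com/login?next=/home"},
        {"Referer": "https://attacker.example/form"},
        {},
    ]
    for hdrs in samples:
        print(hdrs, "->", login_request_source(hdrs), allow_login_post(hdrs))
```

Origin is preferred because it carries only scheme, host and port and is set by the browser for credentialed cross-site POSTs, whereas Referer can be stripped by referrer policies, proxies or privacy extensions and carries the full path; the fallback exists only for clients that omit Origin, and the "none" branch is where the Referer-only approach the comment calls less reliable shows its gap.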